This time, I write about an auditor I have come across, rather than a cybersecurity practitioner.
In an ICS audit, the auditor questioned why the deployed anomaly detection did not have full coverage of all devices, arguing that this imposes cyber risk because malicious traffic cannot be detected early.
Despite a thorough elaboration of the following rationales, the auditor was still not satisfied:
- The ICS is isolated from the Internet, and even from any other peer ICS
- Within the ICS, the plant units are further zoned in the network so that cyber threats are contained, preventing lateral movement from compromising the entire ICS
- The ICS is hardened with removable-media lockdown
- Outgoing process information data to the other repository in the ICS network passes through a unidirectional gateway that enforces push-out only, avoiding the reverse TCP attack that would be possible with a stateful network firewall
- Full coverage would give only a very small gain in detection capability, and in a commercial organization resources should be invested in other, higher-priority protections
- The ICS is just a part of the plant; the physical condition of the plant matters equally to maintaining the business target, over and above the cyber portion. Exploring viable technology for detecting physical anomalies in the plant is therefore much more worthwhile.
- Last but not least, the entire detection principle is designed and deployed by the cybersecurity team of the same organization, and regular reviews are always conducted
What is the lesson here? An auditor needs to understand the entire picture, listen to the plant-floor engineers, validate facts, and keep up domain knowledge regarding risk, exploitation and technical matters in order to form an objective opinion on which to conclude the audit.